How to find out who restarted Windows Server

Posted on Matthew By Matthew No Comments on How to find out who restarted Windows Server
Featured-image_new
Windows Server Event Log Viewer

If your organization has many system administrators, you may want to know who restarted the server at certain times. This post will show you How to find out who restarted Windows Server. This is to view shutdown/reboot/startup logs on Windows servers.

Windows has a great application called Windows Event Viewer that records all actions that occur on the computer.

The event log service, which is a Windows core service, manages the Windows Event Viewer. The event viewer records the event log service’s startup and shutdown history. It tracks each user’s activity while the machine is working. On the Windows Server/Desktop, and PCs, it logs errors, information messages, and warnings.

Here are other related guides on Windows Server: How to uninstall Internet Explorer from your Windows PC or Windows Server, How to install Windows Server 2022 on VirtualBox, How to Install Web Server IIS in Windows Server 2019, Network File System: How to install NFS Server on Windows Server, and how to Migrate Roles and Features to Windows Server 2022 using WSMT.

The Most Frequent Startup and Shutdown Events

There are several events associated with shutting down and restarting a Windows PC. However, in this post, we will show you the most common events:

  • Event ID 41: indicates that your Windows machine rebooted without completely shutting down.
  • Event ID 6005: This code indicates the starting of the event log service.
  • Event ID 1074: Your computer logs this event whenever a program makes your laptop restart or shut down. Additionally, this event lets you know when a user rebooted or shut down the machine using the Start menu or the CTRL+ALT+DEL keyboard shortcut.
  • Event ID 6006: If your Windows PC shuts down properly, this event is recorded.
  • Event ID 6008: This event occasionally appears in your system log when your machine abruptly or unexpectedly shuts down.
  • Event ID 6009: Identifies the name of the Windows product, version, build number, service pack number, and operating system type that is detected during boot.
  • Event ID 1076: Keeps track of the first time a user with shutdown permissions logs in to the computer after an unexpected restart or shutdown, along with a reason for the occurrence.

Please see how to detect if an application was uninstalled on Windows: Find out who has uninstalled an application via Windows Event Viewer, How to view Scheduled Events on AW using the Command Line (CLI), How to prevent a remote shutdown and restart in Windows, How to prevent users from shutting down in a Virtual Machine, and How to use command prompt to shutdown and restart your computer.

How to find out who restarted Windows Server

In this section, I will show you how to view Shutdown and Restart Log from Event Viewer. Let’s go over the whole process of getting this data from the Windows event viewer.

To open the Event Viewer, press Win + R to launch the Run dialog box and type eventvwr.

image0-1
Run dialog box

In the left pane, click on Windows Logs and select System. You’ll see a list of events that occurred while Windows was operating in the center pane. Click on the Event ID label to sort the data by the Event ID column.

image1-5
Event Viewer

If the event log is large, the sorting will fail. You can also make a filter using the Actions pane on the right. Simply choose “Filter current log.”

image2-3
Filtering the Event log

In the Event IDs field, enter 1074 or any Event ID. Under Logged, you can also choose a time period.

image3-3
Event log filter

After you have completed all of the procedures, the Windows Event Viewer will only show events connected to the shutdown.

How to View Shutdown and Restart Log Using Windows PowerShell

The PowerShell command Get-EventLog can be used to get the shutdown and reboot logs in Windows from the command line.

Enter the following command, for example, to filter the 10,000 most recent entries in the System Event Log:

Get-EventLog System -Newest 10000 | ` Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 | ` Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -wrap

Run the following command to view just events related to Windows shutdowns and restarts:

Get-WinEvent -FilterHashtable @{logname = 'System'; id = 1074} | Format-Table -wrap

Query Via WMI

To query a remote device to get the last reboot time with Get-WmiObject

Get-WmiObject -ClassName win32_operatingsystem -ComputerName techdaPC2 | Select-Object csname, lastbootuptime

I hope you find this post helpful. If you have any questions, feel free to leave them in the comment section below.

5/5 - (1 vote)
Windows, Windows Server Tags:, , , ,

Related Posts

More Related Articles

Retrict access to external storage Restrict access to removable Storage Drives [Part 2] Windows
Windows Deployment Services How to migrate WDS and MDT to a new Windows Server Windows Server
banner How to install and configure FSRM in Microsoft Windows Server Windows Server
Implement Split Brain DNS Policies in Active Directory Implement Split-Brain DNS Policies in Active Directory Windows Server
ddf 2 Add boot and install images to WDS and configure Multicast transmission via the GUI and WDSUTIL Windows Server
How to enable or disable Microsoft Defender Antivirus Active or Mode Mode Set Microsoft Defender Antivirus to Passive or Active Mode Anti-Virus Solution

Leave a Reply